HID iCLASS™ security demystified

HID Access Control Application read with a standard OMNIKEY 5321 RFID reader - shown both in encrypted and decrypted form

As rumors are flying high, we would like to make some clarifications concerning the key vulnerabilities we found. The most important finding of our research is that HID iCLASS Standard Security cards can be easily read and copied with low-cost consumer USB RFID readers, because the same two keys were used world-wide for all HID iCLASS Standard Security installations.

Demonstration Software

In an attempt to stop the copying of HID iCLASS Standard Security cards, HID Global removed ContactlessDemoVC.exe from the latest drivers and SDK sources. Additionally, write requests are now blocked by the driver with a 6986 error code. By installing the older SDK version CardMan_Synchronous_API_V1_1_1_4.exe and the OMNIKEY5x21_V1_2_3_1.exe driver you can work around that limitation.

The iCLASS On-Air-Protocol is compatible with PicoPass. Enjoy page 43, which reveals that the actual card authentication doesn't use DES, but is "based on a proprietary symmetric cryptographic algorithm". This is especially exciting as we were able to extract the reader firmware that contains this crypto algorithm.

iCLASS Levels of Security - Explains which security mechanisms are used for each particular security level. It shows that for iCLASS High Security the 3DES content encryption key (as used in Standard Security mode) can't be modified. Only iCLASS Elite seems to allow changing the 3DES content encryption key.

Cloning and modifying HID Standard Security iCLASS™ Cards

Every HID Standard Security iCLASS™ card can be copied, read, decrypted and modified using an off-the-shelf HID Omnikey USB reader (HID Omnikey 5312 and 6321 do fine - CLi versions are not needed), as the same encryption and authentication keys are shared across all HID iCLASS Standard Security installations. These readers can be bought in most online computer stores - they're the Volkswagen of RFID.

A Standard Security HID iCLASS RFID card can be read wirelessly without the owner's knowledge or consent. Imagine for example copying a card from a back pocket or wallet in a subway without physical contact.

The keys needed for this attack were already extracted from old readers - but are valid for the latest HID iCLASS readers in Standard Security mode as well.

Once the content of a HID iCLASS Standard Security RFID card is read, it can be copied to a second Standard Security card. Blank cards are not needed for this attack.

Any Standard Security iCLASS card can be overwritten with the content of any other Standard Security iCLASS card. As the card hardware ID is not transmitted to the back end, the back end can't discover that a copy was presented to the system.

The back end system can't detect card copies unless the attacker enters the building with the card copy while the original owner is in the building (or vice versa), which creates a collision: the same card enters twice without leaving in between. It's impossible to detect such a mismatch in systems where you don't have to swipe cards before leaving the site. Counters on the card won't help as long as these counters are not transmitted to the back end system and processed correctly, or if these counters can be predicted.
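
The collision check described above, written out as back-end detection logic. This is an added example, not code from the original article or from any HID product. The event fields, function name and sample log are constructed for illustration, and the strictly increasing on-card counter is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Event:
    ts: int                        # seconds into the constructed sample log
    card: str                      # credential number the reader reports (not a hardware ID)
    direction: str                 # "in" or "out"
    counter: Optional[int] = None  # hypothetical on-card counter, if forwarded at all

def find_copy_indicators(events, exit_readers=True):
    """Return (ts, card, reason) for events that are inconsistent with one physical card."""
    findings, inside, last_counter = [], set(), {}
    for ev in sorted(events, key=lambda e: e.ts):
        # Counter check: only possible when the counter reaches the back end.
        # Assumes a strictly increasing counter; a predictable counter that is
        # set on the copy defeats this check.
        if ev.counter is not None:
            prev = last_counter.get(ev.card)
            if prev is not None and ev.counter <= prev:
                findings.append((ev.ts, ev.card, "counter-not-increasing"))
            last_counter[ev.card] = ev.counter if prev is None else max(prev, ev.counter)
        if not exit_readers:
            continue  # presence is unknown without exit swipes: no collision check
        if ev.direction == "in":
            if ev.card in inside:
                findings.append((ev.ts, ev.card, "entry-while-inside"))
            inside.add(ev.card)
        elif ev.direction == "out":
            if ev.card not in inside:
                findings.append((ev.ts, ev.card, "exit-without-entry"))
            inside.discard(ev.card)
    return findings

# Constructed sample: card 1001 is presented a second time while its holder is inside.
SAMPLE = [
    Event(100, "1001", "in"), Event(160, "2002", "in"),
    Event(900, "1001", "in"),            # second entry, no exit in between
    Event(1500, "2002", "out"), Event(1800, "1001", "out"),
    Event(1900, "1001", "out"),          # second holder leaves after the first
]
# Same double entry with a forwarded counter; the copy still carries the value 7.
SAMPLE_WITH_COUNTER = [
    Event(100, "1001", "in", 7), Event(900, "1001", "in", 7),
]

if __name__ == "__main__":
    for finding in find_copy_indicators(SAMPLE):
        print(finding)
```

With exit_readers=False and no forwarded counter the same double entry produces no finding at all, which is the blind spot the paragraph describes.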

New HID iCLASS Standard Security cards and tokens can be easily obtained over the internet in large quantities.

iCLASS Biometrics & PIN code security

HID Standard Security iCLASS cards with PIN code/biometrics don't provide additional security, as such cards can be read/copied from other users, decrypted, modified if needed and re-encrypted. The fingerprint template can be changed to the fingerprint template of the attacker on HID Standard Security iCLASS cards - allowing the attacker to enter with his own fingerprint using the modified original card or a card copy.

iCLASS Reader Security and High Security mode

Extracting the High Security key from a reader is as simple as extracting the Standard Security key. The only difference is that the High Security key is stored at a different memory offset in the configuration EEPROM. The extracted High Security key can't be used right away in an Omnikey desktop reader, as the card key derivation algorithm seems to be different for High Security mode cards. It is possible to copy the extracted key to a configuration card or to the attacker's reader.

Interestingly, the configuration card for High Security mode stores only 64 bits as authentication key from the original 128 bit High Security key (all bits significant). As a result the High Security key which is stored in the reader configuration is only 64 bits. The content encryption 3DES key wasn't changed by the High Security configuration cards we tested - it remained the same as in Standard Security mode configuration. It looks like there are several levels of "High Security". The "High Security" cards we tested don't provide high security as they depend solely on a 64 bit secret and are thus vulnerable to brute-force attacks.

Cloning and modifying iCLASS reader configuration cards

Any Configuration Card for HID iCLASS Standard Security RFID Readers can be copied and/or modified with the described HID Omnikey 5312 and 6321 readers. The 3DES content encryption key and DES authentication key for configuration cards are the same as for Access Control Standard Security Cards. Again - blank cards are not needed for copying configuration cards; any Standard Security card can be used as a target for the copy.

Denial of Service of Standard Security Reader Installations is possible as attackers can create rogue configuration cards that turn Standard Security readers into High Security mode with a key only known by the attacker - rendering them unusable.

Cloning and modifying HID High Security iCLASS™ Cards

iCLASS High Security doesn't automatically mean that a 3DES key distinct from the High Security key has been used. We haven't yet seen High Security systems with a distinct payload key - but we believe they exist.

Although read requests can be sniffed easily and decoded in most cases, as the same 3DES keys are used for content encryption as in Standard Security, it isn't possible to copy one card's content to a second card without knowing the card key, as write requests require a cryptographic signature. This is also true in case of pre-authenticated cards in Man-In-The-Middle attacks.

Countermeasures

High Security and Elite Cards can't be copied, modified or read without knowing the customer specific keys - High Security Level 2 cards can be sniffed and decrypted.

Switching quickly from Standard Security mode to Elite Security is mandatory in order to increase the effort for possible attackers. It needs to be understood that we don't claim that iCLASS High Security Level 3 (Elite or Field Programmer) mode is sufficiently secure for Access Control. The attack complexity for iCLASS High Security systems is higher than for iCLASS Standard Security mode systems. This increase of attack complexity hopefully gives the existing users the time needed to migrate to more secure cards and readers. In the longer run we discourage users from using iCLASS cards, as the On-Air Protocol is not hardened against Man-In-The-Middle attacks and 32 bit signatures are used during the authentication sequence of the card.

Breaking Microchip PIC18F CPU copy protection

Initial OpenICSP Prototype which was used to extract the firmware out of a HID iCLASS RW400 reader (Microchip PIC18F452 CPU)

One of the challenges of breaking iCLASS RFID readers was to extract the firmware and the security keys of RW400 readers without leaving visible traces such as breaking the case open. This challenge could be solved by finding a vulnerability in PIC18FXX2/XX8 micro controllers that allows dumping the firmware by only accessing the ICSP pins.

OpenICSP

A spin-off project from breaking the copy protection of the PIC18FXX2/XX8 is the upcoming OpenICSP project, which provides a low level ICSP interface for PIC micro controllers - probably useful for evaluating the security of other PIC micro controllers.

A first release of our code can be found in our repository. Full zip and tar.bz2 archives are available for download here. This is a very early hack for security evaluation of the PIC18 micro controller. The 12V programming voltage is currently switched manually - we will clean up the code and the hardware in the next few months and release it under http://www.OpenICSP.org.

As you can see in the picture on the right a standard TTL-232R-5V-WE cable from FTDI was used to access the CPU Debug interface on a low level. The 2-way switch in the picture was used to switch between 12V VPP programming voltage and 5V programming voltage manually. This manual switching of VPP will be done in software on a dedicated OpenICSP hardware release.